ID. Date of interview 
date 42/92/20 


ID. Time interview started 
start 49-97-99 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
12:33:14 


ID. Duration of interview 
time 5.75 


new Case 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
- Yes
- No
- Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


- Practical steps for ensuring the privacy and security of individuals in dealings with organisations around requests
- Effective triaging of requests and standardised, accessible messaging so the majority can get serviced quickly
- Creating a culture of respect and ‘customer service’ around individuals’ data rights which goes beyond regulatory obligations and the privacy office


Q2 


Does the draft guidance contain the right level of detail? 
- Yes
- No
- Unsure / don't know


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


- There is a focus in the guidance on centralized teams, processes and responses. How does the ICO recommend dealing with a ‘market event’ which could overload these?
- How can the ICO empower people across organisations to enter into dialogue with citizens as part of ‘business as usual’ rather than a paralegal process?
- How can organisations enter data dialogue with subjects and answer the most common question “why do you have my data” as quickly and simply as possible?


Q3 


Does the draft guidance contain enough examples? 
- Yes
- No
- Unsure / don't know


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


Examples should be provided to guide organisations to:
- Move beyond obligations and proactively provide basic information as a response to requests which requires lower levels of ID verification and data discovery.
- Use data points and templated responses to provide information over and beyond regulatory obligations, in a clear and accessible way.
- Share and surface details and volumes of requests received, processed and fulfilled to move beyond assumptions around SARs being ‘tools of the aggrieved’ and having a recognized, wider social benefit in the same way as FOI requests


Q4 


We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like
to include a wide range of examples from a variety of sectors to help you. Please
provide some examples of manifestly unfounded and excessive requests below (if
applicable).


It would help for balance to solicit and include examples of excessive or unfounded 
demands from controllers for personal id, particularly around timescales and reasons 
for making the request. We can provide these on request. 


Q5 On a scale of 1-5 how useful is the draft guidance?


- 1 - Not at all useful
- 2 - Slightly useful
- 3 - Moderately useful
- 4 - Very useful
- 5 - Extremely useful


Q6 Why have you given this score? 


The guidance focuses on obligations, gives the data subject little or no convenience,
agency or discretion beyond the lowest common denominator in terms of
technology, channels and communications within organisations. This risks
discouraging, if not prohibiting innovation in ‘PrivTech’ which support a
customer-centric, scalable approach to access and other rights which could create much
needed consistency and transparency to this area of GDPR. It also seems at odds
with the stated aims of the UK government’s Privacy & Consumer Advisory Group, to
ensure:
- users are in control of their information
- information isn’t centralised
- users have a choice of who provides services on their behalf
Creating arbitrary ‘toll booths’ around rights is not acceptable but there needs to be
an updated understanding of how technology can empower and mediate for citizens in
an area which is unfamiliar to them, beyond contractual and power-of-attorney
relationships and where they are in control.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


- Strongly disagree
- Disagree
- Neither agree nor disagree
- Agree
- Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


The guidance is helpful in documenting the current ‘state of play’ for fulfilment of 
regulatory obligations under GDPR. This shows requests being the preserve of a 
centralized privacy function, with use of existing analogue channels and basic 
technology such as emails and web forms. What this guidance lacks is a structure 
by which there can be effective external oversight and benchmarking, just as the 
subject is given no choice or agency beyond what is at each organisation’s 
discretion. Are complaints to the ICO to be the only lever available to individual 
citizens to effect positive change? Particularly, the lack of recognition for new 
channels which require “proactive” engagement from organisations (which is 
required to provide privacy and security to the subject who has chosen these tools) 
seems shortsighted. Given the terms of service of social media platforms (plus
well-founded concerns around their security and privacy) what is the logic behind their
inclusion as a valid channel here? We would like to suggest the addition of a step in 
the process where an organisation sends a templated response to confirm if they 
hold a record on the subject and describe the general basis of their processing 
activities. This goes beyond regulatory obligations and treats data rights as an 
element of customer service. Where this is in place with our clients, they have 
received very positive feedback and a reduction in ‘problem’ requests. We are happy 
to provide evidence of this from our own experience and bring in case studies from 
third parties who take the same approach. 


Are you answering as: 
- An individual acting in a private capacity (eg someone providing their views as a member of the public)
- An individual acting in a professional capacity
- On behalf of an organisation
- Other

Please specify the name of your organisation: 
Tapmydata 

What sector are you from: 

Privacy Technology 


Q10 How did you find out about this survey? 
- ICO Twitter account
- ICO Facebook account
- ICO LinkedIn account
- ICO website
- ICO newsletter
- ICO staff member
- Colleague
- Personal/work Twitter account
- Personal/work Facebook account
- Personal/work LinkedIn account
- Other
If other please specify: 


